US-8856509

System and method for cognizant transport layer security (CTLS)

Published: October 7, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. The distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of AE creation is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK), which can then be used to create AE for a variety of servers.

Patent Claims
15 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of authentication and secure communication establishment between a first server and a device over a communication system, comprising: a second server performing a first authentication process with the device including a device authentication using a set of device credentials and a subscriber authentication using at least one subscriber credential, a secure tunnel being established with the device based on the device authentication and being used to perform the subscriber authentication, the first authentication process including creation of a set of at least one authentication evidence at the device and the second server, wherein the first server performs a second authentication process and a secure tunnel establishment protocol with the device, the set of at least one authentication evidence created during the first authentication process being used as a factor in the second authentication process, wherein the set of at least one authentication evidence is provided by the second server to the first server through a communication exchange on at least one of the conditions of the first server requesting for authentication evidence when needed and the second server proactively providing the at least one authentication evidence.

2. The method of claim 1, wherein the first authentication process creates an evidence master key that is used to create more than one cryptographically separate authentication evidences distinguished by at least one of the service identifier, server identifier and authentication evidence number.

3. The method of claim 1, wherein the first authentication process is an Extensible Authentication Protocol (EAP) process.

4. The method of claim 1, wherein the at least one authentication evidence is not directly available to the first server and the second server performs verification of the authentication evidence on behalf of the first server when requested.

5. The method of claim 1, wherein the at least one subscriber credential includes a subscriber identity and the device credentials include a device identity, and the first authentication process further comprises binding the subscriber identity to the device identity.

6. The method of claim 1, wherein the second authentication process and secure tunnel establishment protocol is at least one of Transport Layer Security (TLS) and Secure Socket Layer (SSL).

7. The method of claim 1, wherein the at least one authentication evidence is used as a random number within the key exchange for secure tunnel establishment.

8. The method of claim 4, wherein the at least one authentication evidence uses at least one of the pre-master key, client random key and a pre-shared key.

9. The method of claim 5, wherein the subscriber authentication uses at least one of a pre-master key, client random key and a pre-shared key.

10. The method of claim 1, wherein after the second authentication process and secure tunnel establishment is completed, the at least one authentication evidence is used as an additional authentication factor in a follow up authentication exchange between the first server and the device.

11. The method of claim 10, further comprising aborting the secure tunnel if the follow up authentication exchange fails.

12. The method of claim 10, wherein the follow up authentication exchange is a challenge response mechanism using the at least one authentication evidence as a secret residing at least at one of the first and the second servers.

13. A communication system, comprising: a network-enabled device comprising: at least one component configured to engage in a first authentication exchange with a server and create a set of at least one authentication evidence, the at least one component being further configured to engage with another server to perform an authentication and secure tunnel establishment protocol, the at least one authentication evidence being used as an authentication factor; and an authentication and authorization arrangement, comprising: a first server configured to authenticate a device and establish a secure tunnel with the device based on a set of device identity and credentials; and a second server configured to authenticate the device and create authentication evidence and assist the first server in use of the authentication evidence in establishment of the secure tunnel, the second server configured to perform a subscriber authentication using at least one subscriber credential, a second secure tunnel being established between the second server and the device based on the device authentication and being used to perform the subscriber authentication, wherein the authentication evidence created by the second server is provided by the second server to the first server through a communication exchange on at least one of the conditions of the first server requesting for authentication evidence when needed and the second server proactively providing the authentication evidence.

14. The method of claim 1, wherein the subscriber credentials are communicated over the secure tunnel for the subscriber authentication.

15. The communication system of claim 13, wherein the at least one subscriber credential is communicated over the secure tunnel for the subscriber authentication.
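The abstract's key chain (EAP EMSK to an Evidence Master Key to per-server AE) and claims 2, 4 and 12 (cryptographically separate AE per service/server/evidence number, verification by the authentication server on behalf of the application server, and a follow-up challenge-response keyed by the AE) can be modelled in a few dozen lines. The code below is an added illustration written for this page; it is not the patent's own code and the patent specifies no particular KDF, labels or message layout. The use of HKDF with HMAC-SHA256, the info-string labels, the 32-byte key length, the challenge format and the class names (`AuthServer`, `Device`, `AppServer`) are all assumptions made here. The TLS tunnel itself is not established; the example shows only how the AE factor is derived and checked on both sides.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
KEY_LEN = 32  # assumption: 256-bit EMK and AE


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; empty salt means a zero-filled salt."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_emk(emsk: bytes) -> bytes:
    """Evidence Master Key from the EAP EMSK (label is an assumption, not from the patent)."""
    return hkdf_expand(hkdf_extract(b"", emsk), b"CTLS evidence master key", KEY_LEN)


def derive_ae(emk: bytes, service_id: bytes, server_id: bytes, ae_number: int) -> bytes:
    """Per-server AE, separated by service id, server id and AE number (claim 2)."""
    info = b"CTLS AE|" + service_id + b"|" + server_id + b"|" + ae_number.to_bytes(4, "big")
    return hkdf_expand(emk, info, KEY_LEN)


def ae_response(ae: bytes, server_id: bytes, challenge: bytes) -> bytes:
    """Device's answer in the follow-up challenge-response (claim 12): HMAC keyed by the AE."""
    return hmac.new(ae, b"CTLS challenge|" + server_id + b"|" + challenge, HASH).digest()


class AuthServer:
    """Second server: ran EAP with the device, keeps the EMK, hands out or verifies AE."""

    def __init__(self) -> None:
        self.emk_by_device: dict[bytes, bytes] = {}

    def complete_eap(self, device_id: bytes, emsk: bytes) -> None:
        # Only the EMK is retained; the EMSK itself never leaves the EAP layer.
        self.emk_by_device[device_id] = derive_emk(emsk)

    def provide_ae(self, device_id: bytes, service_id: bytes, server_id: bytes, ae_number: int) -> bytes:
        """Claim 1: AE handed to the first server on request (or proactively)."""
        return derive_ae(self.emk_by_device[device_id], service_id, server_id, ae_number)

    def verify_on_behalf(self, device_id, service_id, server_id, ae_number, challenge, response) -> bool:
        """Claim 4: the AE stays here; the first server only learns the verdict."""
        ae = self.provide_ae(device_id, service_id, server_id, ae_number)
        return hmac.compare_digest(ae_response(ae, server_id, challenge), response)


class Device:
    """Client side: derives the same EMK from its own copy of the EMSK."""

    def __init__(self, device_id: bytes, emsk: bytes) -> None:
        self.device_id = device_id
        self.emk = derive_emk(emsk)

    def answer(self, service_id: bytes, server_id: bytes, ae_number: int, challenge: bytes) -> bytes:
        ae = derive_ae(self.emk, service_id, server_id, ae_number)
        return ae_response(ae, server_id, challenge)


class AppServer:
    """First server: terminates the tunnel and checks the AE as an extra factor (claim 10)."""

    def __init__(self, service_id: bytes, server_id: bytes, auth: AuthServer, fetch_ae: bool = True) -> None:
        self.service_id, self.server_id, self.auth = service_id, server_id, auth
        self.fetch_ae = fetch_ae  # True: hold the AE locally; False: delegate verification (claim 4)

    def check_device(self, device: Device, ae_number: int = 1) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per exchange, so responses cannot be replayed
        response = device.answer(self.service_id, self.server_id, ae_number, challenge)
        if self.fetch_ae:
            ae = self.auth.provide_ae(device.device_id, self.service_id, self.server_id, ae_number)
            return hmac.compare_digest(ae_response(ae, self.server_id, challenge), response)
        return self.auth.verify_on_behalf(device.device_id, self.service_id, self.server_id,
                                          ae_number, challenge, response)


if __name__ == "__main__":
    emsk = bytes(range(64))                      # constructed stand-in for a real EAP EMSK
    auth = AuthServer()
    auth.complete_eap(b"dev-1", emsk)
    dev = Device(b"dev-1", emsk)
    print("local AE check:", AppServer(b"mail", b"srv-a", auth).check_device(dev))
    print("delegated check:", AppServer(b"mail", b"srv-b", auth, fetch_ae=False).check_device(dev))
```

Because each AE is bound to the service id, server id and evidence number in the HKDF info string, a server that obtained one AE cannot compute another server's AE from it, and a device holding a different EMSK (one that never completed the first authentication) fails the challenge-response regardless of which verification path the application server uses.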


Patent Metadata

Filing Date

August 10, 2011

Publication Date

October 7, 2014


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “System and method for cognizant transport layer security (CTLS)” (US-8856509). https://patentable.app/patents/US-8856509
